This site has been retired. For up to date information, see handbook.gnome.org or gitlab.gnome.org.


[Home] [TitleIndex] [WordIndex

Gnome Keyring: Automatic Unlocking / PAM

Gnome keyring can automatically unlock the 'login' keyring when the user logs in. Other keyrings or key storage may have their unlock passwords stored in the 'login' keyring, and are then automatically unlocked when necessary.

How it Works

Configuring Gnome Keyring's PAM Support

This is usually installed by default by a distro or OS distributor.

To check if your distro or OS has support for this:

To see if a 'login' keyring exists (it's created automatically):

Beware that if you install configure this yourself, it's possible to lock yourself out of your machine. Make sure you know what you're doing, and how to fix any problems that arise.

These instructions are general, and may not work on your machine. You may be able to find more specific instructions on forums for your OS or distro.

First figure out where your PAM modules are located. Make note of the directory:

Build gnome-keyring with the PAM configure options. Use the PAM module directory as the argument for --with-pam-dir

In /etc/pam.d/gdm, add lines like this at the end of the 'auth', 'session' blocks. The 'session' line below should come towards the end of the other 'session' lines. This allows other modules like the pam systemd module to setup environment variables.

In /etc/pam.d/gnome-screensaver, add a line like this to the 'auth' block:

In /etc/pam.d/passwd, add a line like this to the 'password' block:

Options of the PAM module

Detailed manual

Advanced configuration

Distributions often integrate the pam_gnome_keyring.so configuration with their common PAM stack (with files such as /etc/pam.d/common-auth). However, some advanced usage of PAM might make it hard to use the PAM module.

Issue with sufficient

For example, let's consider the case where /etc/pam.d/gdm looks like:

and /etc/pam.d/common-auth looks like:

The sufficient control value will make PAM return without evaluating the pam_gnome_keyring.so module if the authentication succeeds with pam_winbind.so. In such a case, the substack control value can be used to make sure that the pam_gnome_keyring.so module will have access to the right secret token. substack is only supported on Linux.

Potential solution

/etc/pam.d/gdm would then be:

/etc/pam.d/common-auth would look like:

/etc/pam.d/real-common-auth would look like:


2024-10-23 11:37